OWASP New Zealand Day 2010

Introduction

OWASP New Zealand Day 201015th July - Auckland

Introduction

Following the success of the OWASP New Zealand 2009 security conference which attracted more than 150 attendees, the OWASP New Zealand Chapter decided to organise the OWASP New Zealand Day 2010. The event will be held on the 15th July 2010 in Auckland. For those people who missed the first OWASP New Zealand Day, this is a national security conference entirely dedicated to web application security. The intent of the conference is to promote and raise web application security awareness in New Zealand. IT professionals, including security professionals, developers, managers and students are invited to partecipate to this conference.

Topics

The OWASP Days have always offered a forum for discussion and exchange of ideas among researchers and practitioners who present their experiences and discuss issues related to Web Application Security from a higher level to a technical point of view.

Platform or language (e.g. Java, .NET) security features that help secure web applications;

Secure application development;

How to use databases securely in web applications;

Security of Service Oriented Architectures;

Access control in web applications;

Web services security;

Browser security;

PCI.

Conference structure and schedule

OWASP New Zealand Day 2010 will be all day Conference. The conference aims to provide a workshop-like atmosphere in which contributions can be presented and then time is allowed for constructive discussion of their results and processes. It will be structured in a single stream. During the conference two coffee breaks (one in the morning and one in the afternoon) and the lunch are in program. These might be offered by the sponsors. The detailed agenda of the conference will be available on the web site before the event.

Presentations

08:30

Registration

09:00

Welcome to OWASP New Zealand Day 2010Roberto Suggi Liverani / Lech Janczewski - Security-Assessment.com / The University of Auckland

Speakers

We all know SQL Injection and File Inclusion bugs are dangerous. We know they can be used to 'hack you'. But what does this really mean? Do you know the true impact of these bugs? You might think you know the answers, but do you? In this presentation, we will be covering the risk and impact of such vulnerabilities and a demonstration will be shown on how far these bugs can be leveraged.

Scott Bell

Scott Bell is a security consultant at Security-Assessment.com. He has been involved with IT security for seven years and has a passion for Web Application security. Scott has a PhD in reverse-shell-ology and previously performed penetration testing at Yahoo! Inc.

Dean Carter - The Ramblings of an ex-QSA

As a QSA there were a bunch of things Dean was forbidden from discussing.

As an ex QSA some of these matters will remain firmly sequestered inside his kimono - but others things, more general things, can now be shared.

Dean has 30 minutes worth of handy tips, hints, lessons and some brickbats relating to PCI and secure system development that he can now share with the community.

Dean Carter

Dean still remembers the day he first heard about the PCI DSS - he then spent several years trying to convince everyone that the PCI DSS was the bestest thing since the Beatles… not many people listened… they had projects to finish and settings to tweak…

Then Dean joined Security-Assessment.com and became a QSA (PCI power-up!)… people listened! Organisations even paid to listen! A few organisations went so far as to demonstrate their security posture to Dean The QSA. In return he signed their Reports on Compliance. Most made great progress towards compliance… while some simply went in political circles and denied the need to make any effort.

Two years on Dean, the ex-QSA, now works for financial institution where, in between other tasks, he regularly sticks his nose into PCI matters and still firmly believes that the PCI DSS is a positive thing.

Paul Craig – Security-Assessment.com - "Oh F#!K" : What To Do When You Get Pwned

If your company’s website were hacked tomorrow, would you know what to do?
Forensics is not what you see on CSI, and most people have no idea what they should do in the event of a compromise. What is an appropriate incident response for a company, what do you say to your CEO, when do you involve law enforcement? Do you attempt to solve the forensic case yourself; keeping in mind any action you take may directly affect the evidence, or compromise legal judicial requirements.
This presentation will demonstrate the forensic process for a compromised website, and what an organization should do when they find out they have been compromised. I will use case studies from previous incidents and demonstrate what you should and shouldn’t do when you get pwned.

Paul Craig

My name is Paul Craig, I work as the lead forensic incident responder at Security-Assessment.com and I work with many New Zealand companies who have been compromised. From small websites to large corporations and government agencies, our nation is regularly being defaced and defrauded. IT Forensics is here to pick up the pieces, and it’s my job to spend long nights trying to provide answers to businesses regarding what really happened.

Brett Moore - Insomnia Security - "Don't Try This At Home"

During source code and application reviews a number of common issues are
often seen. Developers making the same mistakes time and time again. There
are also those 'unique' issues that only come up once in a while, when
people handroll their own methods to solve a particular problem.

Over the course of this talk, the speaker will explain and describe a number
of issues that he has seen over the last 24 months in locally developed
code. This is an opportunity to see what local developers are doing wrong,
and why you shouldn't try this at home.

Brett Moore

Having conducted vulnerability assessments, network reviews, and penetration tests for the majority of the large companies in New Zealand, Insomnia founder Brett Moore brings with him over eight years experience in information security. During this time, Brett has also worked with companies such as SUN Microsystems, Skype Limited and Microsoft Corporation by reporting and helping to fix security vulnerabilities in their products. Brett has released numerous whitepapers and technical postings related to security issues and has spoken at security conferences both locally and overseas, including BlackHat, Defcon, Syscan, Kiwicon, Ruxcon, and the invitation only Microsoft internal security conference called BlueHat.

Does the thought of SSL, HTTPS and S/MIME make you squeamish?
Does PKI make you want to scream?
Does encrypting data at rest make you want to bury yourself alive?

Cryptography is an important part of most web applications these days,
and developers and admins need to understand how, why and when to
employ the best and appropriate techniques to secure their servers,
applications, data and the livelihoods of their users.

Join Graeme Neilson (Aura Software Security) and Kirk Jackson (Xero)
for a series of scary stories in "Tales from the Crypt0".

Graeme Neilson

Graeme Neilson is lead security researcher at Aura Software Security,
a security consultancy based in Wellington with clients across the globe.

Kirk Jackson

Kirk Jackson is a developer at Xero, makers of the world's easiest
accounting system.

The security of web applications has traditionally been considered to be
the problem of the company whose servers they were hosted upon. However,
while you can outsource the hosting of web apps, you cannot outsource
the responsibility of ensuring that those apps are secure. Mike and
Quintin set aside their corporate rivalry to demonstrate the gap between
the way things are and the way things should be.

Quintin Russ

Quintin has carved out his own niche in the .nz hosting industry, having
spent a large proportion of the last few years becoming an expert in
both building and defending systems. He now runs enough infrastructure
to ensure he never, ever gets a good night's sleep, and sometimes
doesn't even get to snooze through Sunday mornings. Quintin has a keen
interest in security, especially as it relates to web hosting. This has
ranged from the vicissitudes of shared hosting to code reviews of
popular blogging applications. He has previously presented at ISIG and
Kiwicon 2009.

Mike Jager

Since his arrival at Web Drive in 2004, Mike has been sticking his
fingers into the wall sockets of web hosting. Currently, he herds
packets, mutters at clouds, and sneaks up on web applications, tricking
them into scaling horizontally when they least expect it. Mike holds a
BE in Computer Systems Engineering from the University of Auckland, and
has been spotted presenting recently at NZNOG, APRICOT and the
occasional ISIG meeting.

Secure code practices, system hardening, due diligence and due care principles are paramount in mitigating application level DoS attacks.
These attacks often result in significant damage against unprepared and vulnerable organisations.

The intent of this talk is to help organisations in strengthening their security posture against such attacks. The talk will explore most common application level DoS attacks and will provide recommendations for protecting applications, detecting attacks and how to react under stressful conditions.

Roberto Suggi Liverani

Roberto Suggi Liverani is a senior security consultant for Security-Assessment.com. He is the founder and
leader of the OWASP (Open Web Application Security Project) in New Zealand. Roberto has worked with
companies such as Google, Adobe and Opera by reporting and helping to fix security vulnerabilities in their
products. Roberto is the co-author of the most recent OWASP Testing Guide and has spoken at various
security conferences around the globe.

Please note that CFP is now closed.

Call For Sponsorships (CLOSED)

The aims of OWASP - New Zealand community is to guarantee access to the conference for free in order to allow for wide participation and empower the community itself. As so the OWASP - New Zealand community encourages Industries, Research Institutions and Individuals to sponsor their activities and events.

Three types of sponsorships are available:

Support Sponsorships: n/a - company covers expenses for international speaker / media company that provides article/coverage on the event

- Publication of the sponsor logo on the event web site.

Silver sponsorship: 1500 NZD

- The publication of the sponsor logo in the event site, in the agenda, on the flyers, brochure and in all the official communications with the attendees at the conference.

Gold Sponsorship: 3500 NZD

- Publication of the sponsor logo on the event web site;
- Publication of the sponsor logo on the OWASP New Zealand Chapter page;
- The publication of the sponsor logo in the event site, in the agenda, on the flyers, brochure and in all the official communications with the attendees at the conference;
- The possibility to distribute the company brochures, CDs or other materials to the participants during the event;
- Sponsor dedicated space at the conference (sponsor booth) to show products/services to the attendees during coffee breaks, lunch and snack breaks.

Those who are interested in sponsoring OWASP New Zealand 2010 Conference can contact the OWASP New Zealand Board.
Sponsors can also make us of the following PayPal button to make payments. Donations are also more than welcome from the NZ community.

funds to OWASP earmarked for OWASP New Zealand Day 2010.

Call for Paper (CLOSED) and review process

OWASP solicit contributions on the above topics, or general matters of interest to the community. Those who are interested in participating as speakers to the conference can submit an abstract of the speech to the OWASP New Zealand Board.
The email subject must be “OWASP New Zealand 2010: CFP” and the email body must contains the following information/sections:

Name and Surname

Affiliation

Address

Telephone number

Email address

List of the author’s previous papers/articles/speeches on the same topics

Title of the contribution

Type of contribution: Technical or Informative

Abstract (max one A4 style page)

Why the contribution is relevant for OWASP New Zealand 2010

If you are not from New Zealand, will your company support your expenses - Yes/No

The submission will be reviewed by the OWASP New Zealand Board and the most interesting ones will be selected and invited for presentation.

Due to limited budget available, expenses for international speakers cannot be covered.
If your company is willing to cover travel and accomodation costs, the company will become "Support Sponsor" of the event.

Conference

Conference Venue

The University of Auckland Business School
Owen G Glenn Building
Room: OGGB 260-073 (OGGB4)
Address: 12 Grafton Road
Auckland
New ZealandMap

Topics

The OWASP Days have always offered a forum for discussion and exchange of ideas among researchers and practitioners who present their experiences and discuss issues related to Web Application Security from a higher level to a technical point of view.

Platform or language (e.g. Java, .NET) security features that help secure web applications;

Secure application development;

How to use databases securely in web applications;

Security of Service Oriented Architectures;

Access control in web applications;

Web services security;

Browser security;

PCI.

Conference structure and schedule

OWASP New Zealand Day 2010 will be all day Conference. The conference aims to provide a workshop-like atmosphere in which contributions can be presented and then time is allowed for constructive discussion of their results and processes. It will be structured in a single stream. During the conference two coffee breaks (one in the morning and one in the afternoon) and the lunch are in program. These might be offered by the sponsors. The detailed agenda of the conference will be available on the web site before the event.